A massive data breach at a company that produces Internet-connected toys has exposed passwords, emails and more than 2 million private recorded messages between parents and their children.
The breach, discovered by security researcher Troy Hunt, involved data coming from Spiral Toys Inc., the company behind Internet-connected stuffed teddy bears sold under the name of CloudPets that allow children to send messages to their parents and vice versa.
Hunt alleges the data was publicly exposed on an online MongoDB database that required no authentication to access it, meaning that anyone could have accessed the data and downloaded it, and apparently some people did. Hunt notes that searches using the Shodan search engine, a dark web site that indexes open data, along with other evidence indicate that between Dec. 25 and Jan. 8, the customer data was accessed multiple times by different people.
Hunt also found evidence that the data had not only been downloaded by criminals but also held for ransom — not just once, but multiple times by different actors, each of whom made their own ransom demands.
The only potential positive from the data breach is that the passwords were stored as bcrypt hashes, making them difficult to crack. However, in another monumental security failure, CloudPets had no minimum standards on password strength, meaning that a single letter such as “a” was an acceptable password. That allowed Hunt to recover a number of passwords by checking them against common terms such as qwerty, 123456 and even the term cloudpets.
Although clearly Spiral Toys is to blame, the data was hosted on Amazon Web Services, causing some experts to call upon cloud hosting providers to do more to keep data they host secured.
“Lax security practices that expose the personal data of children and parents to data-jacking are just unconscionable,” Dome9 Security Chief Executive Officer Zohar Alon told SiliconANGLE. “Customers of public cloud services such as Amazon Web Services and Microsoft Azure have cutting-edge tools at their disposal to manage security in their environments, including identity and access management, network security and application firewalls.”
Alon was somewhat forgiving, adding that even the best tools “can’t save customers from irresponsible behavior. The agility and ease of use of the public cloud make it just as easy to build new apps that don’t take security into account.”
CloudPets isn’t the first smart-toy maker to have suffered a data breach or been hacked. Companies such as VTech and Fisher-Price have had similar problems, prompting Hunt to deliver advice every parent concerned about the privacy of their children should read:
You must assume data like this will end up in other people’s hands…. It only takes one little mistake on behalf of the data custodian – such as misconfiguring the database security – and every single piece of data they hold on you and your family can be in the public domain in mere minutes.
For its part, CloudPets has yet to publicly comment on the security breach.